Bug 1287745 - RFE: Add more fields to use composing audit rules to the exclude filter
RFE: Add more fields to use composing audit rules to the exclude filter
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
Unspecified Unspecified
low Severity low
: ---
: ---
Assigned To: Paul Moore
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2015-12-02 10:13 EST by Steve Grubb
Modified: 2016-06-02 15:43 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-06-02 15:43:34 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Steve Grubb 2015-12-02 10:13:00 EST
Description of problem:
The exclude filter was created a long time ago to filter out SE Linux AVC's to meet the Common Criteria profile for CAPP. Currently the only field that can be used for filtering is the msgtype field. There are times when an admin may want to exclude events coming from user space or syscall events using uid, auid, session id, or even selinux types.

The lowest common denominator is the credentials that come from netlink during user space originating events. It might be possible to combine the filters for user and exclude which would give a little more flexibility in writing rules for the exclude filter. The only issue is the semantics are different between them. The user filter passes selected events where the exclude deletes selected events.
Comment 1 Paul Moore 2016-04-06 19:28:55 EDT
Upstream issue:

 * https://github.com/linux-audit/audit-kernel/issues/5
Comment 2 Paul Moore 2016-06-02 15:43:34 EDT
Closing this as we are tracking upstream RFEs on GitHub now, see link on comment #1.

Note You need to log in before you can comment on or make changes to this bug.